Advice Request Hypervisor Enforced Code Integrity (HVCI) shows as Disabled (0) on registry but enabled on Windows Defender and System Information


ItsReallyMe (thread author)
Why does Code Integrity show as enabled everywhere except the registry?
On Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity it shows the Enabled DWORD (32-bit) as 0, when it should be 1 for Code Integrity to be enabled.
I want to use Code Integrity, but I am not sure if it's actually enabled or if it's a glitch in MS Defender and System Information, as the registry shows it as Disabled (0).
And also, how do I enable Firmware Protection?

Andrezj
code integrity is for kernel driver signature enforcement
code integrity is not associated with core isolation and memory integrity


first sentence "The Code Integrity component of Windows Vista and later versions of Windows enforces the requirement that kernel-mode drivers be signed in order to load."

code integrity should be enabled by default, to enable it secure boot must be present and enabled, tpm must also be enabled to enable firmware protection

if you are running an out of date version of windows (windows 10), this could be the problem, because the build you are running might have a problem with the code integrity feature

the image of firmware not enabled is an indicator that tpm\secure boot are not enabled on your system or your bios is out of date; if your hardware is not compatible with windows 11 then that can be why tpm is not working

in bios, virtualization features must also be enabled for code integrity and firmware protection

if you are in an enterprise environment, such as connected to an active directory domain or using intune, then you must contact your administrator to enable or sort out the problem with code integrity
 

ItsReallyMe (thread author)
No, I have Secure Boot, TPM and BitLocker enabled!
 

Andrezj
how old is your computer?
your bios might be out of date and it needs update
are you running windows 10 or 11?
what edition - it looks like enterprise? (some features will not work right on enterprise unless managed by active directory or intune or other management)
are you running windows 11 on compatible hardware (hardware that is from 2016 or before can not be compatible with tpm 2.0, it depends upon oem)?

that instance of windows shown in your image is not running in a virtual machine, is it?

run tpm.msc and check that tpm version 2.0 is available when running (for windows 11)
run devmgmt.msc and check security devices to confirm tpm is running

bitlocker has nothing to do with code integrity (for sure)

virtualization features need to be enabled in bios for code integrity

ok, i see, microsoft changed legacy code integrity to memory integrity, apologies for saying that code integrity and memory integrity are not connected

you already know the keys; setting the code integrity key to 1 = enabled might displease you because you do not know why it is disabled, but that is the nature of information technology

to be certain, do a clean install of windows or restore from a known good backup image or reset your pc

you are obviously an advanced user: did you play with group policy, did you mess with intune, apply mdac, did you do registry hacks, did you disable services, is the system domain joined? these and other advanced topics can all affect code integrity

if system domain joined then admin can disable code integrity


the code integrity disabled in the registry but showing as enabled in the windows gui is a known bug

the bigger problem is that the firmware protection is disabled, that firmware managed by administrator is an indication of an underlying problem\compatibility issue with hardware\tpm module if system is not managed by active directory\intune or other way

enable code integrity by setting registry key should enable firmware protection after system reboot
if you enable code integrity in registry and it is showing disabled in registry after system reboot then it can be any of a number of things, namely hardware issue
 

ItsReallyMe (thread author)
Thank you for replying
it's made in 2019
running Win 11 Pro
bios date is 06/06/2019

I fixed the issue by changing HVCIMATRequired from 1 to 0 in the registry at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity

Now HVCI shows enabled everywhere!

 
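A read-only check, added here as an example and not code from this thread, that puts the two views the poster was comparing side by side: the DeviceGuard scenario registry values (Enabled, HVCIMATRequired) next to what the Win32_DeviceGuard CIM class reports as configured and actually running, including the System Guard Secure Launch service that the Windows Security app shows as Firmware protection. The meaning given to HVCIMATRequired in the comments is an assumption; the thread only reports that flipping it to 0 made HVCI show as enabled.

```powershell
# Added example (not from the thread): compare the DeviceGuard registry values
# with the state Windows reports via Win32_DeviceGuard. Run elevated; read-only.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

# Enabled: 1 = HVCI requested in this scenario key, 0 = not requested.
# HVCIMATRequired: assumed meaning - when 1, HVCI may only start if the firmware
# provides a UEFI Memory Attributes Table (MAT); the thread does not define it.
$enabled     = $reg.Enabled
$matRequired = $reg.HVCIMATRequired

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# SecurityServicesConfigured / SecurityServicesRunning codes:
# 1 = Credential Guard, 2 = HVCI (memory integrity),
# 3 = System Guard Secure Launch ("Firmware protection" in Windows Security),
# 4 = SMM firmware measurement.
$hvciConfigured  = $dg.SecurityServicesConfigured -contains 2
$hvciRunning     = $dg.SecurityServicesRunning    -contains 2
$secureLaunchRun = $dg.SecurityServicesRunning    -contains 3

# VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
# AvailableSecurityProperties: 1 = hypervisor, 2 = Secure Boot, 3 = DMA protection,
# 5 = NX protections, 7 = mode-based execution control.
$props = $dg.AvailableSecurityProperties

[pscustomobject]@{
    RegistryEnabled         = $enabled
    RegistryHVCIMATRequired = $matRequired
    VBSStatus               = $dg.VirtualizationBasedSecurityStatus
    HVCIConfigured          = $hvciConfigured
    HVCIRunning             = $hvciRunning
    FirmwareProtection      = $secureLaunchRun
    HypervisorAvailable     = $props -contains 1
    SecureBootAvailable     = $props -contains 2
    DMAProtectionAvailable  = $props -contains 3
} | Format-List

# The thread's symptom: HVCI reported running while the scenario key says 0.
if ($hvciRunning -and $enabled -ne 1) {
    Write-Warning "HVCI is running but ${key}\Enabled is $enabled; the running state comes from another source (policy or the Windows Security UI), so do not rely on this registry value alone."
}
if (-not $hvciRunning -and $matRequired -eq 1) {
    Write-Warning "HVCI is not running and HVCIMATRequired is 1; check for a firmware/BIOS update before changing the value."
}
```

Get-CimInstance returns an empty result on editions without VBS support, in which case the boolean fields simply report False.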
